> -----Original Message-----
> From: Michele M. Jordan [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 April 2000 7:32 AM
> To: [EMAIL PROTECTED]
> Subject: Question about L2F Tunnels
>
>
> Okay, I had a major provider who is doing Access VPNs tell a
> customer this:
>
> It is their statement that encryption is not necessary since it is
> not leaving the <provider's> network. The tunnel will provide the
> necessary security is their position. I then asked her if security
> wasn't necessary, then why do we need the tunnel? She said to that:
> "well the tunnel provides the necessary security, so encryption isn't
> necessary since it is going from router to router and that's the only
> connection that is possible."
This is clearly an email from someone _other_ than the provider concerned
and therefore is not a direct quote. Insert my grain of salt here. What they
could be trying to say is this:
L2F does not offer data encryption. L2F _does_ offer encapsulation of SLIP
or PPP packets through a cloud to make it just as if you had dialled your
home access-server via a local call.
This is analogous to "normal" PPP dialup - that goes through a service
provider and could easily be snooped as well. If you don't encrypt for normal
dialup but you want encryption for L2F then you have an inconsistent view
regarding how much your information is worth.
The attacks against L2F are mostly concerned with getting access to a tunnel
when you shouldn't - the same sort of attacks that people can carry out
against any dialup server. Password guessing, stealing laptops etc etc etc.
>
> This is financial data via a dial-up to a provider pop, provider
> forwards an L2F tunnel request to my customer, my customer accepts the
> tunnel request, authenticates via remote Radius, and then initiates the
> tunnel. If we did do encryption, it would need to be from the provider
> pop to my customer's router.
Yup, that's L2F alright. However with that sort of setup, if you did
encryption then you would need to do it host-to-host so that the PPP packets
were secure before they left the remote node. L2F won't encrypt for you.
If you want encryption you could maybe look at IPSec at the node itself or
at the provider's POP. I guess you could push L2F packets through an IPSec
(or something) tunnel as well. Weird idea though.
>
> I think encryption is necessary, what do you think?
I have no idea. The test is the same as always though - if your data is
worth more than the effort required for somebody to acquire it then encrypt.
Assess the possibility of your provider (or someone else, by hook, crook or
court order) sniffing the data in transit.
If the data doesn't ever traverse the Internet things might look pretty good
for you. Barring catastrophic compromise of their network nobody except the
provider or law enforcement (or the NSA etc ;) can get at the data. If you
don't use encrypted phones / dialup lines then I wouldn't worry.
>
> -Michele
>
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
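To make the point of the reply concrete, here is an added example (not code from the thread or from any L2F implementation) that builds and parses an L2F packet using the RFC 2341 header layout: the PPP frame sits after the header byte for byte, so anyone who can read the provider's link between the POP and the home gateway reads the payload. The packet, the field values and the "financial" payload are all constructed for illustration.

```python
import struct

# Added example, not the thread's own code. L2F header layout per RFC 2341;
# the packet below is constructed, not captured.
L2F_VERSION = 1
L2F_PROTO_PPP = 0x01                          # Protocol field: PPP payload
F_BIT, K_BIT, S_BIT = 0x8000, 0x4000, 0x1000  # Offset, Key, Sequence present


def build_l2f(mid, cid, ppp_frame, seq=None, key=None):
    """Wrap a PPP frame in an L2F header (no Offset, no Checksum)."""
    flags = L2F_VERSION | (S_BIT if seq is not None else 0)
    flags |= K_BIT if key is not None else 0
    head = struct.pack("!HB", flags, L2F_PROTO_PPP)
    if seq is not None:
        head += struct.pack("!B", seq)
    opt = struct.pack("!I", key) if key is not None else b""
    # Length = header + optional fields + payload (a checksum is not counted).
    length = len(head) + 6 + len(opt) + len(ppp_frame)
    return head + struct.pack("!HHH", mid, cid, length) + opt + ppp_frame


def parse_l2f(pkt):
    """Walk the header, reading only the optional fields the flag bits announce."""
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if (flags & 0x0007) != L2F_VERSION:
        raise ValueError("not an L2F version 1 packet")
    fields, pos = {"proto": pkt[2]}, 3
    if flags & S_BIT:
        fields["seq"], pos = pkt[pos], pos + 1
    fields["mid"], fields["cid"], length = struct.unpack_from("!HHH", pkt, pos)
    pos += 6
    offset = 0
    if flags & F_BIT:            # Offset: bytes of padding before the payload
        offset, pos = struct.unpack_from("!H", pkt, pos)[0], pos + 2
    if flags & K_BIT:            # Key: tunnel authentication value, not a cipher key
        fields["key"], pos = struct.unpack_from("!I", pkt, pos)[0], pos + 4
    fields["payload"] = pkt[pos + offset:length]   # the PPP frame, in the clear
    return fields


# Constructed stand-in for a PPP frame (address/control FF 03, protocol 0x0021);
# the bytes after it are placeholder text rather than a real IP datagram.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"ACCT=12345 AMOUNT=250.00"
SAMPLE_PKT = build_l2f(mid=1, cid=7, ppp_frame=SAMPLE_PPP, seq=42, key=0xDEADBEEF)

if __name__ == "__main__":
    f = parse_l2f(SAMPLE_PKT)
    print(f["payload"])      # the record is readable straight off the wire
```

The Key field the K bit announces authenticates the tunnel endpoints to each other; it does nothing to the payload, which is why the reply points at host-to-host IPSec (or IPSec at the POP) when confidentiality is actually required.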